Dropbox Accounts Were Accessible by Anyone for Four Hours on Sunday

A code update left Dropbox, the popular cloud storage service, password-free for about four hours on Monday afternoon.


A code update left Dropbox, the popular cloud storage service, password-free for about four hours on Sunday evening.

During this time, anyone could access any of Dropbox's 25 million user accounts by typing in any password.

The lapse occurred between 1:54 p.m. and 5:46 p.m. PT. According to Dropbox's blog post, "much less" than one percent of its members logged in during this period. However, the company still isn't clear whether any improper behavior occurred during that time. If you suspect any strange activity on your account, you can email support@dropbox.com.

"This should never have happened. We are scrutinizing our controls and we will be implementing additional safeguards to prevent this from happening again," the company wrote in a rather vague blog post.

The bug was first posted on Pastebin, another storage ground often used by programmers, by cybersecurity researcher Christopher Soghoian, who is pursuing a doctorate at the University of Indiana. An unnamed person tipped him off when he realized that even obvious typos made during his password entry could log him into his account.

Soghoian was most likely contacted because he has been scrutinizing Dropbox's security system for months. In May, he filed an FTC complaint against the company for misrepresenting its security level, and using a type of encryption technology that put its users at risk of data breaches and identity theft.

Dropbox encrypts data for its users, which gives the company the power to access its users' data. Most likely, the reasoning behind this is in case a user forgets his or her password. However, Soghoian says the company falsely advertised on its website that only the user could access his own data.

At the time, Dropbox countered that it has "strict policy prohibitions" and "access controls" to prevent most of its employees from being able to access user files.

Nonetheless, Monday's negligence has made Dropbox even more unpopular with users:

Sara Yin is a junior analyst in the Software, Internet, and Networking group at PCmag.com, pouring most of her energy into app testing and security matters at Security Watch with Neil Rubenking. She lies awake at night pondering the state of mobile security (half-true).
Prior to joining PCMag.com, Sara spent five years reporting for publications in New York City (Huffington Post), Hong Kong (South China Morning Post), and Singapore (Campaign Asia, Men's Health).
Follow her on Twitter at @SecurityWatch and @sarapyin, or contact her the...